Tuesday, February 3, 2015

Elite Hackers Aren't Elite Coders, Lack QA

Sophos today released a technical paper by Gabor Szappanos, principal researcher at SophosLabs that demonstrates that many highly effective hacking groups associated with malware and advanced persistent threats (APTs) appear to lack an understanding of the technical exploits they use. They also fail to adequately test their exploits for effectiveness before unleashing them on their victims.

Szappanos evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit — a sophisticated attack against a specific version of Microsoft Office. He found that none of the groups were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack. Many groups' efforts to modify the initial exploit resulted in buggy code or minimal changes to the original exploit. Interestingly, the APT groups — often billed as the most sophisticated of attackers — showed the lowest proficiency in both modification and QA. It was the "mainstream" or "opportunistic" criminal groups that were most effective in revising the code to suit their purposes.
The author points out, however, that these groups are in many cases still highly effective in infecting their targets and getting what they want (typically data or money). To use a physical world simile, it's like they're able to use lockpicks effectively, but they're unable to effectively modify the lockpicks or craft new styles.

Here is a link to the paper.